akselbork/Remove-Log4JVulnerabilityClass-

Remove-Log4JVulnerabilityClass-

Log4J vulnerability script to remove "JndiLookup.class" from JAR, WAR and other Java archive files

SCRIPTS:

There are two different PowerShell scripts. Output examples are added beside the scripts.

Remove-Log4J_JndiLookupClass-PSv5.ps1 (Outdated)

This script can only run locally on a computer

Remove-Log4J_JndiLookupClassRemotely-PSv5.ps1

This script can run locally and/or against remote computers.
It now executes in a RunSpace pool with a default of 10 parallel sessions.

HELP

The section below is the comment-based help for "Remove-Log4J_JndiLookupClassRemotely-PSv5.ps1".

<#
.SYNOPSIS
CleanUp script for removing vulnerable Java class based on CVE-2021-45105
.DESCRIPTION
As a last resort, removing the class file "JndiLookup.class" from the jar file containing it can be necessary.
This script can find all files with the JAR, WAR, EAR, JPI and HPI extensions, or a single specified file, that contain the vulnerable class.
It removes the class by unzipping the archive to a work folder and then re-zipping it back to its original location.
You can also choose to only get a list of the files that contain the class, without removing the class.
The script runs in parallel execution mode.

.PARAMETER Computername
A single or collection of systems to perform the query against

.PARAMETER Credential
Credentials to query remote computers

.PARAMETER ToCSV
Name of CSV to write the results of the query to

.PARAMETER Throttle
Number of asynchronous jobs that will run at a time

.PARAMETER ShowProgress
Displays the progress of the services query

.PARAMETER file
Full name (path) of a single file to investigate

.PARAMETER JavaClass
The class name to remove

.PARAMETER WorkFolder
The folder to where the work on the file is done
Default: "temp-log4j"

.PARAMETER RootPath
The drive the workfolder is created on
Default: "C:"

.PARAMETER Compressionlevel
What type of compression should be used
Default: "Fastest"

.PARAMETER Out
Return the result of the cleanup as an object

.PARAMETER onlyQuery
Only report the number and full names of the vulnerable files, without cleaning them

.NOTES
Author: Aksel Bork
Created: 2021-12-22
The RunSpace part is based on the article

Author: Boe Prox
Created: 2012-03-14
link: https://devblogs.microsoft.com/scripting/expert-commentary-2012-scripting-games-advanced-event-2/

2021-12-22 1 Creation
2021-12-22 1.1 Add extra extension to querystring ("*.jar","*.war","*.ear","*.jpi","*.hpi")
2021-12-22 2 Change to use "RunSpace" for parallel execution
Adding "Write-Information" for showing INPUT data and execution time


.EXAMPLE
Remove-Log4JVulnerabilityClassRemotely -Computername $env:COMPUTERNAME -Verbose -Credential $cred -InformationAction Continue
Description
-----------
Clean up all files found on the local system, writing verbose and information messages to the console.
No output data is produced for further processing.


.EXAMPLE
$output = Remove-Log4JVulnerabilityClassRemotely -Computername fil01 -out -onlyQuery -Credential $CRED -InformationAction Continue -Verbose
$output
Description
-----------
Query all files found on the local or remote computer, writing verbose and information messages to the console.
Output data is stored in a variable and then written to the console.


####################################################################

[INFO][INPUT][CREDENTIAL] company\administrator
[INFO][INPUT][COMPUTERS] 1
[INFO][INPUT][FILE]
[INFO][INPUT][JAVACLASS] JndiLookup.class
[INFO][INPUT][WORKFOLDER] _temp-log4J
[INFO][INPUT][ROOTPATH] C:
[INFO][INPUT][COMPRESSION] Fastest
[INFO][INPUT][INCLUDENETWORKSHARE] False
[INFO][INPUT][WRITE OUTPUT] True
[INFO][INPUT][ONLYQUERY] True
[INFO][INPUT][VERBOSE] Continue
[INFO][INPUT][CREDENTIAL] company\administrator

####################################################################

VERBOSE: 09:32:32.3518 [BEGIN ] Creating runspace pool and session states
VERBOSE: 09:32:32.3518 [BEGIN ] Creating empty collection to hold runspace jobs
VERBOSE: 09:32:32.3674 [PROCESS] Validating that current user is Administrator or supplied alternate credentials
VERBOSE: 09:32:32.3719 [PROCESS] Adding fil01 collection
VERBOSE: 09:32:32.3719 [PROCESS] Checking status of runspace jobs
VERBOSE: 09:32:32.3835 [PROCESS] Finish processing the remaining runspace jobs:
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01] Starting
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][FILE]
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][FILE EXTENSION] *.jar, *.war, *.ear, *.jpi, *.hpi
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][JAVACLASS] JndiLookup.class
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][WORKFOLDER] _temp-log4J
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][ROOTPATH] C:
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][COMPRESSION] Fastest
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][INCLUDENETWORKSHARE] False
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][WRITE OUTPUT] True
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][ONLYQUERY] True
VERBOSE: 09:32:33.3281 [BEGIN ] [FIL01][INPUT][VERBOSE] True
VERBOSE: 09:32:33.3437 [BEGIN ] [FIL01][QUERING] Looking on [local] drives
VERBOSE: 09:32:33.6562 [BEGIN ] [FIL01][QUERING] Getting [local] drives
VERBOSE: 09:32:33.6562 [BEGIN ] [FIL01][QUERING][FILTERING] no smbmapped drives exits.. no filtering nessesary
VERBOSE: 09:32:33.7031 [BEGIN ] [FIL01][QUERING][DRIVE] C:\
VERBOSE: 09:33:26.5313 [BEGIN ] [FIL01][QUERING][DRIVE] S:\
VERBOSE: 09:33:26.8750 [BEGIN ] [FIL01][QUERING] files found [3]
VERBOSE: 09:33:26.8906 [PROCESS] [FIL01] Status [UNCLEANED]
VERBOSE: 09:33:26.8906 [END ] [FIL01] Ending
VERBOSE: 09:33:26.9657 [PROCESS] Closing the runspace pool
VERBOSE: 09:33:26.9814 [PROCESS] Displaying Report
####################################################################
[INFO][STARTTIME] 12/23/2021 09:32:32
[INFO][ENDTIME] 12/23/2021 09:33:26
[INFO][RUNTIME] 00d:00h:00m:54s
####################################################################

Cleaned : False
FullName : C:\_FILES\PAD.JavaBridge-2.jar | S:\Data\FILES\PAD.JavaBridge-2.jar | S:\Share\FILES\PAD.JavaBridge-2.jar
StartDate : 12/23/2021 9:24:24 AM
IpAddress : 10.0.2.201 | 10.0.0.201
Action : onlyQeury
ComputerName : FIL01
QueryDate : 12/23/2021 9:25:18 AM


.EXAMPLE
$output = Remove-Log4JVulnerabilityClassRemotely -Computername fil01 -out -Credential $CRED -InformationAction Continue -Verbose
$output

Description
-----------
Query all files found on a local or remote computer, writing verbose and information messages to the console.
If the class is found in a file, the file is unzipped, the class is removed, and the file is zipped again.
Output data is stored in a variable and then written to the console.
VERBOSE: 10:14:24.0324 [BEGIN ] Performing inital Administrator check
VERBOSE: 10:14:24.0324 [BEGIN ] Building hash table for ScriptBlock Parameters
[INFO] Starting Remove-Log4JVulnerabilityClassRemotely
####################################################################

[INFO][INPUT][CREDENTIAL] company\administrator
[INFO][INPUT][COMPUTERS] 1
[INFO][INPUT][FILE]
[INFO][INPUT][JAVACLASS] JndiLookup.class
[INFO][INPUT][WORKFOLDER] _temp-log4J
[INFO][INPUT][ROOTPATH] C:
[INFO][INPUT][COMPRESSION] Fastest
[INFO][INPUT][INCLUDENETWORKSHARE] False
[INFO][INPUT][WRITE OUTPUT] True
[INFO][INPUT][ONLYQUERY] False
[INFO][INPUT][VERBOSE] Continue
[INFO][INPUT][THROTTLE] 10
[INFO][INPUT][TOCSV]
[INFO][INPUT][SHOWPROGRESS] False

####################################################################

VERBOSE: 10:14:24.0641 [BEGIN ] Creating runspace pool and session states
VERBOSE: 10:14:24.0908 [BEGIN ] Creating empty collection to hold runspace jobs
VERBOSE: 10:14:24.0958 [PROCESS] Validating that current user is Administrator or supplied alternate credentials
VERBOSE: 10:14:24.0958 [PROCESS] Adding fil01 collection
VERBOSE: 10:14:24.0958 [PROCESS] Checking status of runspace jobs
VERBOSE: 10:14:24.1114 [PROCESS] Finish processing the remaining runspace jobs:
VERBOSE: 10:14:25.0834 [BEGIN ] [FIL01] Starting
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][FILE]
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][FILE EXTENSION] *.jar, *.war, *.ear, *.jpi, *.hpi
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][JAVACLASS] JndiLookup.class
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][WORKFOLDER] _temp-log4J
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][ROOTPATH] C:
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][COMPRESSION] Fastest
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][INCLUDENETWORKSHARE] False
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][WRITE OUTPUT] True
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][ONLYQUERY] False
VERBOSE: 10:14:25.0991 [BEGIN ] [FIL01][INPUT][VERBOSE] True
VERBOSE: 10:14:25.1147 [BEGIN ] [FIL01][QUERING] Looking on [local] drives
VERBOSE: 10:14:25.4272 [BEGIN ] [FIL01][QUERING] Getting [local] drives
VERBOSE: 10:14:25.4428 [BEGIN ] [FIL01][QUERING][FILTERING] no smbmapped drives exits.. no filtering nessesary
VERBOSE: 10:14:25.4897 [BEGIN ] [FIL01][QUERING][DRIVE] C:\
VERBOSE: 10:15:18.3959 [BEGIN ] [FIL01][QUERING][DRIVE] S:\
VERBOSE: 10:15:18.7553 [BEGIN ] [FIL01][QUERING] files found [1]
VERBOSE: 10:15:18.7553 [PROCESS] [FIL01][DIRECTORY] creating work folder [C:\_temp-log4J]
VERBOSE: 10:15:18.7553 [PROCESS] [FIL01][DIRECTORY] Creating folder [C:\_temp-log4J\ZIP]
VERBOSE: 10:15:18.7553 [PROCESS] [FIL01][FILENAME] C:\_FILES\PAD.JavaBridge.jar
VERBOSE: 10:15:18.7709 [PROCESS] [FIL01][COPY/RENAME] file [C:\_FILES\PAD.JavaBridge.jar] to [C:\_temp-log4J\PAD.JavaBridge.zip]
VERBOSE: 10:15:18.7709 [PROCESS] [FIL01][EXPAND] file [C:\_temp-log4J\PAD.JavaBridge.zip] to folder [C:\_temp-log4J\ZIP]
VERBOSE: 10:15:22.3803 [PROCESS] [FIL01][REMOVING CLASS][C:\_temp-log4J\ZIP\org\apache\logging\log4j\core\lookup\JndiLookup.class] class [JndiLookup.class]
VERBOSE: 10:15:22.3803 [PROCESS] [FIL01][COMPRESS] file [C:\_temp-log4J\ZIP] to [C:\_temp-log4J\PAD.JavaBridge.zip]
VERBOSE: 10:15:25.3334 [PROCESS] [FIL01][COPY/RENAME] file [C:\_temp-log4J\PAD.JavaBridge.zip] to [C:\_FILES\PAD.JavaBridge.jar]
VERBOSE: 10:15:25.3334 [PROCESS] [FIL01][CLEANUP] Deleting folder [C:\_temp-log4J]
VERBOSE: 10:15:25.5834 [PROCESS] [FIL01][CLEANUP] Status cleanup [Successful]
VERBOSE: 10:15:25.6303 [PROCESS] [FIL01][FILENAME][C:\_FILES\PAD.JavaBridge.jar] Status [CLEANED]
VERBOSE: 10:15:25.6459 [END ] [FIL01] Ending
VERBOSE: 10:15:25.7470 [PROCESS] Closing the runspace pool
VERBOSE: 10:15:25.7470 [PROCESS] Displaying Report

####################################################################
[INFO][STARTTIME] 12/23/2021 10:14:24
[INFO][ENDTIME] 12/23/2021 10:15:25
[INFO][RUNTIME] 00d:00h:01m:01s
ComputerName : FIL01
StartDate : 12/23/2021 10:14:24 AM
Action : Clean
FullName : C:\_FILES\PAD.JavaBridge.jar
Cleaned : True
FileName : PAD.JavaBridge.jar
IpAddress : 10.0.2.201 | 10.0.0.201
QueryDate : 12/23/2021 10:15:25 AM

#>
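As an added example, not the repository's script, the query and clean steps from the DESCRIPTION above (find archives with the listed extensions, list or remove the class named by -JavaClass, verify the result) carried out in Python with the standard zipfile module; it goes beyond the page's script by also handling archives nested inside a WAR or EAR. All file names and class bodies in it are constructed samples.

```python
# Added example, not the repository's PowerShell script: query and clean Java archives in memory.
import io
import zipfile

TARGET_CLASS = "JndiLookup.class"                       # the page's -JavaClass default
ARCHIVE_EXT = (".jar", ".war", ".ear", ".jpi", ".hpi")  # the page's query extensions

def find_class_entries(data, class_name=TARGET_CLASS, prefix=""):
    """'onlyQuery' mode: every entry named class_name. Unlike the page's script it also
    descends into nested archives (a WAR bundling log4j-core.jar), reported as outer!inner."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == class_name:
                found.append(prefix + name)
            elif name.lower().endswith(ARCHIVE_EXT):
                found += find_class_entries(zf.read(name), class_name, prefix + name + "!")
    return found

def remove_class(data, class_name=TARGET_CLASS):
    """'Clean' mode: the page's expand/delete/compress round trip done in memory. Every other
    entry keeps its bytes, path, timestamp and compression method; nested archives recurse."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.rsplit("/", 1)[-1] == class_name:
                continue                                   # drop the vulnerable class
            payload = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_EXT):
                payload = remove_class(payload, class_name)
            dst.writestr(info, payload)                    # the ZipInfo keeps compress_type
    return out.getvalue()

def is_clean(data, class_name=TARGET_CLASS):
    """Post-clean check: no target entry left and every CRC in the archive still verifies."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip() is None and not find_class_entries(data, class_name)

def build_sample_war():
    """Constructed sample, not a real artifact: a WAR holding an app class and a nested jar."""
    def archive(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, body in entries.items():
                zf.writestr(name, body)
        return buf.getvalue()
    stub, pkg = b"\xca\xfe\xba\xbe stub", "org/apache/logging/log4j/core/"  # magic plus filler
    inner = archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     pkg + "lookup/JndiLookup.class": stub, pkg + "Logger.class": stub})
    return archive({"WEB-INF/classes/App.class": stub, "WEB-INF/lib/log4j-core.jar": inner})
```

Removing the class from the archive on disk does not unload it from a JVM that already has it loaded; the affected service still needs a restart for the change to take effect.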
